4b88d014ff5456f0a977b13ad4bfdf1ad343c1e5764a000e10e6ee57b8558fca

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be7110fc899c1da195cf897ba2ec060N.exe
Size

135KB
MD5

6be7110fc899c1da195cf897ba2ec060
SHA1

d471694dce574389703b31ec88d95a6810a24748
SHA256

4b88d014ff5456f0a977b13ad4bfdf1ad343c1e5764a000e10e6ee57b8558fca
SHA512

4f4519220cdf9e253c52031b4de4e02034bb1cd998e6a71d95210a3ba73042255483c099a510a3242a46bfda0f7ff78fca2b33818f88c076704a1158d163e470
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVHU:UVqoCl/YgjxEufVU0TbTyDDaldU

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2856	explorer.exe
3204	spoolsv.exe
3304	svchost.exe
3500	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	6be7110fc899c1da195cf897ba2ec060N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6be7110fc899c1da195cf897ba2ec060N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2856	explorer.exe
3304	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4952	6be7110fc899c1da195cf897ba2ec060N.exe
4952	6be7110fc899c1da195cf897ba2ec060N.exe
2856	explorer.exe
2856	explorer.exe
3204	spoolsv.exe
3204	spoolsv.exe
3304	svchost.exe
3304	svchost.exe
3500	spoolsv.exe
3500	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2856	4952	6be7110fc899c1da195cf897ba2ec060N.exe	84
PID 4952 wrote to memory of 2856	4952	6be7110fc899c1da195cf897ba2ec060N.exe	84
PID 4952 wrote to memory of 2856	4952	6be7110fc899c1da195cf897ba2ec060N.exe	84
PID 2856 wrote to memory of 3204	2856	explorer.exe	86
PID 2856 wrote to memory of 3204	2856	explorer.exe	86
PID 2856 wrote to memory of 3204	2856	explorer.exe	86
PID 3204 wrote to memory of 3304	3204	spoolsv.exe	87
PID 3204 wrote to memory of 3304	3204	spoolsv.exe	87
PID 3204 wrote to memory of 3304	3204	spoolsv.exe	87
PID 3304 wrote to memory of 3500	3304	svchost.exe	88
PID 3304 wrote to memory of 3500	3304	svchost.exe	88
PID 3304 wrote to memory of 3500	3304	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\6be7110fc899c1da195cf897ba2ec060N.exe
"C:\Users\Admin\AppData\Local\Temp\6be7110fc899c1da195cf897ba2ec060N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2856
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3304
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
41bd57687cd32af552fb548ad12554dd

SHA1
2616a7cefe37957bf423129b0df7b4ed8c7fafe0

SHA256
f6cb1d383fb1c4fea0c5845deaf0b846e8b792593f2439e9598e976734cace9c

SHA512
2d923c6047d73a14af95f8e031d8f7fdfb90bdd1550da0ea5ba2e73c5c56bf93c2bd7965ca584397a39180bbccce1b0e70997eec70afb48d13a4b839390daa4d

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
e003e9263e394edf018d173159f160ce

SHA1
0fb4620ed0a7b5dc4fed59a9878afdb94b910788

SHA256
2a93e32e1277616389f5ecc4311b45c1e1baabcbc445a28d1c6c0a0aa2e9c5d8

SHA512
0ef314c5bf7e4f8437b1a0937cf4ee9b214f5902c9f56e39ac71ccbae79cdb0f80db8e16e6a97ab32e0efb5a86af19ac401d16ac762ad76e9596c6ab5f015959

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f6845f503e81b247f0737c9d25bb76ae

SHA1
c315552ebc7e249277d2d01572c239d93273d207

SHA256
bdf7dee19e7b7bc51f5e7a14817a8d609b287e496336d59676f28869900c30b2

SHA512
4c753e53a4522387d8f68e07e4ada697e16efebc9c56098da122c6ce8b4af7cc56cc1fb78e48f243592daacf24898e1a7d1b8310f3cd2a67ae26aa62172eb1bc

Download Submit
memory/3204-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3500-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4952-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4952-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download